US Retailers on High Alert After ModPos Malware Warning

Security experts are warning of a major new sophisticated POS malware framework which could wreak havoc among US retailers as they head into the busy Black Friday shopping period.

The so-called “ModPos” malware has already been targeted at US retailers and is likely being used elsewhere in a bid to nab card details, according to iSight Partners.

The firm said in a blog post that it has already briefed “numerous” retailers and payments firms and is working with the Retail Cyber Intelligence Sharing Center (R-CISC) to help stop the POS malware spreading further.

“The actors behind the ModPOS software have exhibited a very professional level of software development proficiency, creating a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence,” the firm explained.

“Thus, ModPOS can go undetected by numerous types of modern security defenses.”

As its name suggests, the malware is modular in nature, meaning it can be configured according to its target with various capabilities including keylogger, POS RAM scraper, uploader/downloader and “custom plugins” for things like network reconnaissance.

“The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls,” the firm said.

Part of the ModPos framework has been spotted dating as far back as 2012, with retailers targeted in 2013 and 2014. Although it has taken iSight some time to reverse engineer this sophisticated code, it’s believed it could originate from Eastern Europe.

The firm warned that even retailers that have implemented EMV could have POS data stolen if they’ve not implemented end-to-end encryption including data in memory.

Although chip and PIN makes it very difficult to clone a card, the data could still be used to attempt card-not-present fraud.

The news comes just a week after Proofpoint warned of new POS malware ready in time for the busy festive shopping season.

AbaddonPOS is also fitted with anti-analysis and obfuscation techniques to prevent manual and automatic analysis.

Another piece of POS malware, Cherry Picker, has also been detected. This one apparently cleans itself from an infected system once it has stolen the data it’s looking for—making it doubly tricky to detect and investigate.